certMILS: Compositional security certification for medium- to high-assurance COTS-based systems in environments with emerging threats

(EU, Horizon 2020)


certMILS develops a security certification methodology for Cyber-physical systems (CPS). CPS are characterised by safety-critical nature, complexity, connectivity, and open technology. A common downside to CPS complexity and openness is a large attack surface and a high degree of dynamism that may lead to complex failures and irreparable physical damage. The legitimate fear of security or functional safety vulnerabilities in CPS results in arduous testing and certification processes. Once fielded, many CPS suffer from the motto: never change a running system.

certMILS increases the economic efficiency and European competitiveness of CPS development, while demonstrating the effectiveness of safety & security certification of composable systems.

The project employs a security-by-design concept originating from the avionics industry: Multiple Independent Levels of Security (MILS), which targets controlled information flow and resource usage amongst software applications.

certMILS reduces certification complexity, promotes re-use, and enables secure updates to CPS throughout its lifecycle by providing certified separation of applications, i.e. if an application within a complex CPS fails or starts acting maliciously, other applications are unaffected.

Security certification of complex systems to medium-high assurance levels is not solved today. The existing monolithic approaches cannot cope with the complexity of modern CPS. certMILS uses ISO/IEC 15408 and IEC 62443 to develop and applies a compositional security certification methodology to complex composable safetycritical systems operating in constantly evolving hostile environments. certMILS core results are standardised in a protection profile.

certMILS develops three composable industrial CPS pilots:

  • smart grid,
  • railway,
  • subway,

certifies security of critical re-useable components, and ensures security certification for the pilots by certification labs in three EU countries with involvement of the authorities.


Project period

4 years  (01.01.2017 - 31.12.2020)

Research grant

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 731456

Industry Support

The Institute is supported by the company ANSYS / Esterel with licences for the formal software modelling system SCADE. The software is used for academic research in the openETCS and certMILS project and in education especially for embedded systems.

Principal investigators

Foto Thorsten Schulz

Thorsten Schulz

Foto Frank Golatowski

Frank Golatowski

Tel.: +49 381 498 7274
Raum: 103

Foto Dirk Timmermann

Prof. Dr.-Ing.
Dirk Timmermann

Tel.: +49 381 498 7250
Raum: 105

Foto Christian Haubelt

Prof. Dr.-Ing. habil.
Christian Haubelt

Tel.: +49 381 498 7280
Raum: 101


Benjamin Rother, Frank Golatowski, Zeeshan Ansar, Don Kuzhiyelil, Stefan Resch, Reinhard Hametner, Prashant Pathak:
Analysis of Safety-Critical Communication Protocols for On-Premise SIL4 Cloud in Railways
In Proceedings of the 4th International Conference Reliability, Safety, and Security of Railway Systems (RSSRail 2022),  pp. 211–220, DOI: 10.1007/978-3-031-05814-1_15, Paris, Frankreich, Juni 2022

Andreas Hohenegger, Gerald Krummeck, Janie Baños, Alvaro Ortega, Michal Hager, Jiri Sterba, Tomas Kertis, Petr Novobilsky, Jan Prochazka, Benito Caracuel, Ana Lourdes Sanz, Francisco Ramos, Holger Blasum, Mario Brotz, Caspar Gries, Torsten Vögler, Jan Neškudla, Jan Rollo, Lisa Burgstaller, Martina Truskaller, Klaus-Michael Koch, Technikon, Reinhard Hametner, Sandro Rauscher, Peter Tummeltshammer, Thales Austria, Frank Golatowski, Thorsten Schulz:
Security certification experience for industrial cyberphysical systems using Common Criteria and IEC 62443 certifications in certMILS
In Proceedings of the 4th IEEE International Conference on Industrial Cyber-Physical Systems (ICPS), pp. 25-30, DOI: 10.1109/ICPS49255.2021.9468241, Victoria, BC, Kanada, Mai 2021

Thorsten Schulz, Frank Golatowski, Dirk Timmermann:
Integration Approach for Communications-based Train Control Applications in a High Assurance Security Architecture
In Proceedings of the International Conference on Reliability, Safety, and Security of Railway Systems 2019 (RSSRail), pp. 272-283, DOI: 10.1007/978-3-030-18744-6_18, Lille, Frankreich, Juni 2019 (Best Student Paper Award)

Thorsten Schulz, Caspar Gries, Frank Golatowski, Dirk Timmermann:
Strategy for Security Certification of High Assurance Industrial Automation and Control Systems
In Proceedings of the IEEE 13th International Symposium on Industrial Embedded Systems (SIES), pp. 1-4, ISSN: 2150-3117, DOI: 10.1109/SIES.2018.8442081, Graz, Österreich, August 2018

Thorsten Schulz, Frank Golatowski, Dirk Timmermann:
In Search for a Simple Secure Protocol forSafety-Critical High-Assurance Applications
In Proceedings of the International Workshop on MILS: Architecture and Assurance for Secure Systems, pp. 1-4, DOI: 10.5281/zenodo.1306101, Luxemburg, Luxemburg, Juni 2018

Thorsten Schulz, Frank Golatowski, Dirk Timmermann:
Evaluation of a Formalized Encryption Library for Safety-Critical Embedded Systems Folien
Proceeding of the IEEE IES International Conference on Industrial Technology, Toronto, Canada, März 2017

Frank Golatowski, Thorsten Schulz, Mehmet Özer, Philipp Gorski:
Zugsteuerung nach dem Baukastenprinzip
In Elektronik, Nr. 18, pp. 42-49, ISSN: 0013-5658, Haar, Deutschland, September 2016